Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 15:17
Static task
static1
Behavioral task
behavioral1
Sample
392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe
Resource
win10v2004-20241007-en
General
-
Target
392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe
-
Size
1024KB
-
MD5
6de238fd3998d15a3ab09cb4f889e1f0
-
SHA1
8dd32b5b8e78129be97909742b33846dad3ffbd0
-
SHA256
392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8
-
SHA512
eae20667b5645efe29cec091dbae13280b106214e50581c3d7cc9d62f4a8fc086a79b7ee2e4617eb3bf6a6bbd53707c2bc28f7c6528910e59d4f4ba57b5e8e56
-
SSDEEP
12288:3b1kY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:3b1gsaDZgQjGkwlks/6HnEO
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbqfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncnngfna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbflno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnngfna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aebmjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaajei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piicpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndqkleln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakgefqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdbdqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmgjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cileqlmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqklqhpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaghki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opihgfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekiphge.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2972 Fnacpffh.exe 2676 Fdmhbplb.exe 2688 Fnflke32.exe 2808 Gcgnnlle.exe 2604 Gdkgkcpq.exe 2624 Gkglnm32.exe 2600 Hjlioj32.exe 3008 Hfcjdkpg.exe 1256 Hjofdi32.exe 2508 Hpphhp32.exe 1892 Hfjpdjjo.exe 2336 Ihpfgalh.exe 2908 Ijqoilii.exe 2664 Iakgefqe.exe 336 Jdnmma32.exe 1512 Jmfafgbd.exe 1848 Jpigma32.exe 2012 Jbhcim32.exe 848 Jkchmo32.exe 1764 Jbjpom32.exe 1040 Koaqcn32.exe 580 Kaompi32.exe 2196 Kekiphge.exe 836 Kaajei32.exe 2184 Knhjjj32.exe 288 Kadfkhkf.exe 2920 Kpgffe32.exe 2308 Knkgpi32.exe 2724 Knmdeioh.exe 2748 Klpdaf32.exe 2212 Lgehno32.exe 2768 Ljddjj32.exe 3024 Llbqfe32.exe 2628 Lldmleam.exe 1912 Lhknaf32.exe 908 Loefnpnn.exe 1144 Lfoojj32.exe 1684 Lhnkffeo.exe 2260 Mkndhabp.exe 2440 Mqklqhpg.exe 2580 Mgedmb32.exe 668 Mqnifg32.exe 2016 Mjfnomde.exe 272 Mmdjkhdh.exe 2288 Mjhjdm32.exe 2400 Mmgfqh32.exe 1480 Mcqombic.exe 872 Mmicfh32.exe 1592 Mpgobc32.exe 3044 Nbflno32.exe 2456 Nnmlcp32.exe 2832 Nibqqh32.exe 2788 Nameek32.exe 2548 Nhgnaehm.exe 1216 Napbjjom.exe 2344 Ncnngfna.exe 1632 Nlefhcnc.exe 1896 Nabopjmj.exe 2684 Ndqkleln.exe 2044 Omioekbo.exe 1716 Odchbe32.exe 1572 Oaghki32.exe 892 Opihgfop.exe 2320 Ofcqcp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2104 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe 2104 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe 2972 Fnacpffh.exe 2972 Fnacpffh.exe 2676 Fdmhbplb.exe 2676 Fdmhbplb.exe 2688 Fnflke32.exe 2688 Fnflke32.exe 2808 Gcgnnlle.exe 2808 Gcgnnlle.exe 2604 Gdkgkcpq.exe 2604 Gdkgkcpq.exe 2624 Gkglnm32.exe 2624 Gkglnm32.exe 2600 Hjlioj32.exe 2600 Hjlioj32.exe 3008 Hfcjdkpg.exe 3008 Hfcjdkpg.exe 1256 Hjofdi32.exe 1256 Hjofdi32.exe 2508 Hpphhp32.exe 2508 Hpphhp32.exe 1892 Hfjpdjjo.exe 1892 Hfjpdjjo.exe 2336 Ihpfgalh.exe 2336 Ihpfgalh.exe 2908 Ijqoilii.exe 2908 Ijqoilii.exe 2664 Iakgefqe.exe 2664 Iakgefqe.exe 336 Jdnmma32.exe 336 Jdnmma32.exe 1512 Jmfafgbd.exe 1512 Jmfafgbd.exe 1848 Jpigma32.exe 1848 Jpigma32.exe 2012 Jbhcim32.exe 2012 Jbhcim32.exe 848 Jkchmo32.exe 848 Jkchmo32.exe 1764 Jbjpom32.exe 1764 Jbjpom32.exe 1040 Koaqcn32.exe 1040 Koaqcn32.exe 580 Kaompi32.exe 580 Kaompi32.exe 2196 Kekiphge.exe 2196 Kekiphge.exe 836 Kaajei32.exe 836 Kaajei32.exe 2184 Knhjjj32.exe 2184 Knhjjj32.exe 288 Kadfkhkf.exe 288 Kadfkhkf.exe 2920 Kpgffe32.exe 2920 Kpgffe32.exe 2308 Knkgpi32.exe 2308 Knkgpi32.exe 2724 Knmdeioh.exe 2724 Knmdeioh.exe 2748 Klpdaf32.exe 2748 Klpdaf32.exe 2212 Lgehno32.exe 2212 Lgehno32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Olebgfao.exe Ofhjopbg.exe File created C:\Windows\SysWOW64\Qeppdo32.exe Qdncmgbj.exe File created C:\Windows\SysWOW64\Cdpkangm.dll Bdcifi32.exe File created C:\Windows\SysWOW64\Ccmpce32.exe Bjdkjpkb.exe File created C:\Windows\SysWOW64\Fdmhbplb.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Djbfplfp.dll Lfoojj32.exe File created C:\Windows\SysWOW64\Mkndhabp.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Pcaibd32.dll Cjakccop.exe File opened for modification C:\Windows\SysWOW64\Pgcmbcih.exe Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Adlcfjgh.exe Abmgjo32.exe File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe Cnfqccna.exe File created C:\Windows\SysWOW64\Cnimiblo.exe Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Fnacpffh.exe 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe File created C:\Windows\SysWOW64\Bpdokkbh.dll Mqnifg32.exe File created C:\Windows\SysWOW64\Nbflno32.exe Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Nnmlcp32.exe Nbflno32.exe File created C:\Windows\SysWOW64\Dpapaj32.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Qiioon32.exe Qppkfhlc.exe File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe Qdncmgbj.exe File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe Ckjamgmk.exe File created C:\Windows\SysWOW64\Blangfdh.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Bdclnelo.dll Nabopjmj.exe File created C:\Windows\SysWOW64\Pplaki32.exe Pmmeon32.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Pnbojmmp.exe File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe Cegoqlof.exe File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Decfggnn.dll Olebgfao.exe File created C:\Windows\SysWOW64\Pmpbdm32.exe Pplaki32.exe File created C:\Windows\SysWOW64\Hfjpdjjo.exe Hpphhp32.exe File opened for modification C:\Windows\SysWOW64\Mjfnomde.exe Mqnifg32.exe File created C:\Windows\SysWOW64\Adqaqk32.dll Nibqqh32.exe File opened for modification C:\Windows\SysWOW64\Oibmpl32.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Oaoplfhc.dll Bniajoic.exe File opened for modification C:\Windows\SysWOW64\ÿs.e¢e Dpapaj32.exe File opened for modification C:\Windows\SysWOW64\Jmfafgbd.exe Jdnmma32.exe File created C:\Windows\SysWOW64\Lhknaf32.exe Lldmleam.exe File created C:\Windows\SysWOW64\Padhdm32.exe Piicpk32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pcljmdmj.exe File opened for modification C:\Windows\SysWOW64\Lhnkffeo.exe Lfoojj32.exe File opened for modification C:\Windows\SysWOW64\Mkndhabp.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Nnmlcp32.exe Nbflno32.exe File created C:\Windows\SysWOW64\Fnacpffh.exe 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe File created C:\Windows\SysWOW64\Mahlae32.dll Jbhcim32.exe File created C:\Windows\SysWOW64\Klpdaf32.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Lnjeilhc.dll Lgehno32.exe File opened for modification C:\Windows\SysWOW64\Ihpfgalh.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe File created C:\Windows\SysWOW64\Pdeqfhjd.exe Pljlbf32.exe File created C:\Windows\SysWOW64\Cnfqccna.exe Cmedlk32.exe File created C:\Windows\SysWOW64\Aaimopli.exe Acfmcc32.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Achjibcl.exe File created C:\Windows\SysWOW64\Kadfkhkf.exe Knhjjj32.exe File created C:\Windows\SysWOW64\Nibqqh32.exe Nnmlcp32.exe File opened for modification C:\Windows\SysWOW64\Pdeqfhjd.exe Pljlbf32.exe File created C:\Windows\SysWOW64\Acfmcc32.exe Aebmjo32.exe File created C:\Windows\SysWOW64\Hopbda32.dll Oemgplgo.exe File opened for modification C:\Windows\SysWOW64\Pmpbdm32.exe Pplaki32.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Oggfcl32.dll Hjofdi32.exe File created C:\Windows\SysWOW64\Lhgccebd.dll Kekiphge.exe File opened for modification C:\Windows\SysWOW64\Opihgfop.exe Oaghki32.exe File created C:\Windows\SysWOW64\Ihaiqn32.dll Obokcqhk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2348 2564 WerFault.exe 157 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjamgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekiphge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqklqhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loefnpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnimiblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchfhfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adlcfjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgffe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacpffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpphhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndqkleln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmlmhlo.dll" Ljddjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obokcqhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" Alqnah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgehno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll" Bkjdndjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdkgkcpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgehno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decfggnn.dll" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" Aohdmdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgccebd.dll" Kekiphge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" Opihgfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knhjjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcqombic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cileqlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdmhbplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekhchoj.dll" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpnk32.dll" Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alqnah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbmcibjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeobp32.dll" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohbak32.dll" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljdnm32.dll" Kaompi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqnifg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkjdndjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" Knhjjj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2972 2104 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe 30 PID 2104 wrote to memory of 2972 2104 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe 30 PID 2104 wrote to memory of 2972 2104 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe 30 PID 2104 wrote to memory of 2972 2104 392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe 30 PID 2972 wrote to memory of 2676 2972 Fnacpffh.exe 31 PID 2972 wrote to memory of 2676 2972 Fnacpffh.exe 31 PID 2972 wrote to memory of 2676 2972 Fnacpffh.exe 31 PID 2972 wrote to memory of 2676 2972 Fnacpffh.exe 31 PID 2676 wrote to memory of 2688 2676 Fdmhbplb.exe 32 PID 2676 wrote to memory of 2688 2676 Fdmhbplb.exe 32 PID 2676 wrote to memory of 2688 2676 Fdmhbplb.exe 32 PID 2676 wrote to memory of 2688 2676 Fdmhbplb.exe 32 PID 2688 wrote to memory of 2808 2688 Fnflke32.exe 33 PID 2688 wrote to memory of 2808 2688 Fnflke32.exe 33 PID 2688 wrote to memory of 2808 2688 Fnflke32.exe 33 PID 2688 wrote to memory of 2808 2688 Fnflke32.exe 33 PID 2808 wrote to memory of 2604 2808 Gcgnnlle.exe 34 PID 2808 wrote to memory of 2604 2808 Gcgnnlle.exe 34 PID 2808 wrote to memory of 2604 2808 Gcgnnlle.exe 34 PID 2808 wrote to memory of 2604 2808 Gcgnnlle.exe 34 PID 2604 wrote to memory of 2624 2604 Gdkgkcpq.exe 35 PID 2604 wrote to memory of 2624 2604 Gdkgkcpq.exe 35 PID 2604 wrote to memory of 2624 2604 Gdkgkcpq.exe 35 PID 2604 wrote to memory of 2624 2604 Gdkgkcpq.exe 35 PID 2624 wrote to memory of 2600 2624 Gkglnm32.exe 36 PID 2624 wrote to memory of 2600 2624 Gkglnm32.exe 36 PID 2624 wrote to memory of 2600 2624 Gkglnm32.exe 36 PID 2624 wrote to memory of 2600 2624 Gkglnm32.exe 36 PID 2600 wrote to memory of 3008 2600 Hjlioj32.exe 37 PID 2600 wrote to memory of 3008 2600 Hjlioj32.exe 37 PID 2600 wrote to memory of 3008 2600 Hjlioj32.exe 37 PID 2600 wrote to memory of 3008 2600 Hjlioj32.exe 37 PID 3008 wrote to memory of 1256 3008 Hfcjdkpg.exe 38 PID 3008 wrote to memory of 1256 3008 Hfcjdkpg.exe 38 PID 3008 wrote to memory of 1256 3008 Hfcjdkpg.exe 38 PID 3008 wrote to memory of 1256 3008 Hfcjdkpg.exe 38 PID 1256 wrote to memory of 2508 1256 Hjofdi32.exe 40 PID 1256 wrote to memory of 2508 1256 Hjofdi32.exe 40 PID 1256 wrote to memory of 2508 1256 Hjofdi32.exe 40 PID 1256 wrote to memory of 2508 1256 Hjofdi32.exe 40 PID 2508 wrote to memory of 1892 2508 Hpphhp32.exe 41 PID 2508 wrote to memory of 1892 2508 Hpphhp32.exe 41 PID 2508 wrote to memory of 1892 2508 Hpphhp32.exe 41 PID 2508 wrote to memory of 1892 2508 Hpphhp32.exe 41 PID 1892 wrote to memory of 2336 1892 Hfjpdjjo.exe 42 PID 1892 wrote to memory of 2336 1892 Hfjpdjjo.exe 42 PID 1892 wrote to memory of 2336 1892 Hfjpdjjo.exe 42 PID 1892 wrote to memory of 2336 1892 Hfjpdjjo.exe 42 PID 2336 wrote to memory of 2908 2336 Ihpfgalh.exe 43 PID 2336 wrote to memory of 2908 2336 Ihpfgalh.exe 43 PID 2336 wrote to memory of 2908 2336 Ihpfgalh.exe 43 PID 2336 wrote to memory of 2908 2336 Ihpfgalh.exe 43 PID 2908 wrote to memory of 2664 2908 Ijqoilii.exe 44 PID 2908 wrote to memory of 2664 2908 Ijqoilii.exe 44 PID 2908 wrote to memory of 2664 2908 Ijqoilii.exe 44 PID 2908 wrote to memory of 2664 2908 Ijqoilii.exe 44 PID 2664 wrote to memory of 336 2664 Iakgefqe.exe 45 PID 2664 wrote to memory of 336 2664 Iakgefqe.exe 45 PID 2664 wrote to memory of 336 2664 Iakgefqe.exe 45 PID 2664 wrote to memory of 336 2664 Iakgefqe.exe 45 PID 336 wrote to memory of 1512 336 Jdnmma32.exe 46 PID 336 wrote to memory of 1512 336 Jdnmma32.exe 46 PID 336 wrote to memory of 1512 336 Jdnmma32.exe 46 PID 336 wrote to memory of 1512 336 Jdnmma32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe"C:\Users\Admin\AppData\Local\Temp\392fd72c3ff9c885a22a599a4d4274c97621774731edc007674760116e840fe8N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe40⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe47⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe56⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe58⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe66⤵
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe67⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe68⤵PID:2988
-
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe69⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe73⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe78⤵
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe87⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe88⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe89⤵PID:2612
-
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe92⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe94⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe96⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe98⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe101⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe108⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe112⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe119⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe120⤵PID:2480
-
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe121⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:3028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-